I upgraded some machines to XP SP3, and now whenever the user tries to install anything they get a "You must be an administrator" dialog box; however I went in locally and added the user as part of the Administrator's group to the local computer's Users and Groups (i.e. Admin Tools -> Computer Management -> Local Users and Groups). The user has standard rights on the domain but nothing that would block this; users on SP2 don't have this problem and can install software.

How do I go about fixing this? It's getting annoying for the users to have to call me over and then have to log out, then log back in as the local Administrator account in order to install anything or configure an IP printer (option is grayed out except with Administrator account).

Copy WHOAMI.EXE from a Windows Server 2003 machine down to one of the XP machines. Logon as the user who is supposed to be an 'Administrator' and run WHOAMI /ALL. Do you see the 'Administrators' group listed as one of the groups they are a member of? It sounds to me like the user isn't actually getting 'Administrators' group membership for some reason (Restricted Groups policy?).
–
Evan AndersonJun 3 '09 at 13:58

This seems workstation-suppport-like, but I'm pretty sure there are some GPO/domain settings that can cause this. Should be some interesting responses.
–
Kara MarfiaJun 3 '09 at 14:03

Instead of "coming over" when an unprivileged user needs to run something as an administrator, why not launch the privileged task on the remote machine with psexec from your console? Doesn't hurt to open a Remote Assistance session first so you can see what the user is doing. (This is also very helpful if you need to open, e.g., a privileged command prompt when giving remote assistance to an unprivileged user.)
–
SkyhawkApr 15 '10 at 16:48

IMO letting all users run as admin on their local machines is a pretty bad idea, if you are only doing it to make installation of software easier please heed the above comment about right-clicking and running the installation as admin with your own credentials.

You said the user has standard rights on the domain, which suggests a domain account, but you mentioned that the modifications you made were to a local user in "Local Users and Groups". These are two separate concepts.

First, is the user logging on as a local user or domain user? When they log on, is domain set to "Computer name (this computer)", or "Domain name".

If it is a domain account, what you want to do is open Control Panel > User Accounts.
- Click Add
- Type the username and domain
- Choose "other" and set it to Administrators.

This gives that domain user administrative rights to that specific computer.